- Jul 07, 2022
-
-
Greg Kroah-Hartman authored
Link: https://lore.kernel.org/r/20220705115618.410217782@linuxfoundation.org Tested-by:
Ronald Warsow <rwarsow@gmx.de> Tested-by:
Jon Hunter <jonathanh@nvidia.com> Tested-by:
Justin M. Forbes <jforbes@fedoraproject.org> Tested-by:
Fenil Jain <fkjainco@gmail.com> Tested-by:
Florian Fainelli <f.fainelli@gmail.com> Tested-by:
Ron Economos <re@w6rz.net> Tested-by:
Linux Kernel Functional Testing <lkft@linaro.org> Tested-by:
Rudi Heitbaum <rudi@heitbaum.com> Tested-by:
Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> Tested-by:
Guenter Roeck <linux@roeck-us.net> Tested-by:
Shuah Khan <skhan@linuxfoundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Oleksandr Tyshchenko authored
commit b75cd218 upstream. During the PV driver life cycle the mappings are added to the RB-tree by set_foreign_p2m_mapping(), which is called from gnttab_map_refs() and are removed by clear_foreign_p2m_mapping() which is called from gnttab_unmap_refs(). As both functions end up calling __set_phys_to_machine_multi() which updates the RB-tree, this function can be called concurrently. There is already a "p2m_lock" to protect against concurrent accesses, but the problem is that the first read of "phys_to_mach.rb_node" in __set_phys_to_machine_multi() is not covered by it, so this might lead to the incorrect mappings update (removing in our case) in RB-tree. In my environment the related issue happens rarely and only when PV net backend is running, the xen_add_phys_to_mach_entry() claims that it cannot add new pfn <-> mfn mapping to the tree since it is already exists which results in a failure when mapping foreign pages. But there might be other bad consequences related to the non-protected root reads such use-after-free, etc. While at it, also fix the similar usage in __pfn_to_mfn(), so initialize "struct rb_node *n" with the "p2m_lock" held in both functions to avoid possible bad consequences. This is CVE-2022-33744 / XSA-406. Signed-off-by:
Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com> Reviewed-by:
Stefano Stabellini <sstabellini@kernel.org> Signed-off-by:
Juergen Gross <jgross@suse.com> Signed-off-by:
-
Jan Beulich authored
commit f63c2c20 upstream. The commit referenced below moved the invocation past the "next" label, without any explanation. In fact this allows misbehaving backends undue control over the domain the frontend runs in, as earlier detected errors require the skb to not be freed (it may be retained for later processing via xennet_move_rx_slot(), or it may simply be unsafe to have it freed). This is CVE-2022-33743 / XSA-405. Fixes: 6c5aa6fc ("xen networking: add basic XDP support for xen-netfront") Signed-off-by:
Jan Beulich <jbeulich@suse.com> Reviewed-by:
-
Roger Pau Monne authored
commit 2400617d upstream. Split the current bounce buffering logic used with persistent grants into it's own option, and allow enabling it independently of persistent grants. This allows to reuse the same code paths to perform the bounce buffering required to avoid leaking contiguous data in shared pages not part of the request fragments. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33742, part of XSA-403. Signed-off-by:
Roger Pau Monné <roger.pau@citrix.com> Reviewed-by:
-
Roger Pau Monne authored
commit 4491001c upstream. Bounce all data on the skbs to be transmitted into zeroed pages if the backend is untrusted. This avoids leaking data present in the pages shared with the backend but not part of the skb fragments. This requires introducing a new helper in order to allocate skbs with a size multiple of XEN_PAGE_SIZE so we don't leak contiguous data on the granted pages. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33741, part of XSA-403. Signed-off-by:
-
Roger Pau Monne authored
commit 307c8de2 upstream. When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-33740, part of XSA-403. Signed-off-by:
-
Roger Pau Monne authored
commit 2f446ffe upstream. When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-26365, part of XSA-403. Signed-off-by:
-
Yang Yingliang authored
[ Upstream commit d0e51022 ] If platform_device_add() fails, it no need to call platform_device_del(), split platform_device_unregister() into platform_device_del/put(), so platform_device_put() can be called separately. Fixes: 8808a793 ("ibmaem: new driver for power/energy/temp meters in IBM System X hardware") Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Link: https://lore.kernel.org/r/20220701074153.4021556-1-yangyingliang@huawei.com Signed-off-by:
Sasha Levin <sashal@kernel.org>
-
Casper Andersson authored
[ Upstream commit 9c5de246 ] When adding/deleting mdb entries on other net_devices, eg., tap interfaces, it should not crash. Fixes: 3bacfccd ("net: sparx5: Add mdb handlers") Signed-off-by:
Casper Andersson <casper.casan@gmail.com> Reviewed-by:
Steen Hegelund <Steen.Hegelund@microchip.com> Link: https://lore.kernel.org/r/20220630122226.316812-1-casper.casan@gmail.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> Signed-off-by:
-
Casper Andersson authored
[ Upstream commit 1c1ed5a4 ] Handle adding and removing MDB entries for host Signed-off-by:
Paolo Abeni <pabeni@redhat.com> Signed-off-by:
-
Carlos Llamas authored
[ Upstream commit 20b82643 ] Kernel uapi headers are supposed to use __[us]{8,16,32,64} types defined by <linux/types.h> as opposed to 'uint32_t' and similar. See [1] for the relevant discussion about this topic. In this particular case, the usage of 'uint64_t' escaped headers_check as these macros are not being called here. However, the following program triggers a compilation error: #include <drm/drm_fourcc.h> int main() { unsigned long x = AMD_FMT_MOD_CLEAR(RB); return 0; } gcc error: drm.c:5:27: error: ‘uint64_t’ undeclared (first use in this function) 5 | unsigned long x = AMD_FMT_MOD_CLEAR(RB); | ^~~~~~~~~~~~~~~~~ This patch changes AMD_FMT_MOD_{SET,CLEAR} macros to use the correct integer types, which fixes the above issue. [1] https://lkml.org/lkml/2019/6/5/18 Fixes: 8ba16d59 ("drm/fourcc: Add AMD DRM modifiers.") Signed-off-by:
Carlos Llamas <cmllamas@google.com> Reviewed-by:
Simon Ser <contact@emersion.fr> Signed-off-by:
Alex Deucher <alexander.deucher@amd.com> Signed-off-by:
-
Hans de Goede authored
[ Upstream commit aacb455d ] On some Panasonic models the volume up/down/mute keypresses get reported both through the Panasonic ACPI HKEY interface as well as through the atkbd device. Filter out the atkbd scan-codes for these to avoid reporting presses twice. Note normally we would leave the filtering of these to userspace by mapping the scan-codes to KEY_UNKNOWN through /lib/udev/hwdb.d/60-keyboard.hwdb. However in this case that would cause regressions since we were filtering the Panasonic ACPI HKEY events before, so filter these in the kernel. Fixes: ed83c917 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") Reported-and-tested-by:
Stefan Seyfried <seife+kernel@b1-systems.com> Reported-and-tested-by:
Kenneth Chan <kenneth.t.chan@gmail.com> Signed-off-by:
Hans de Goede <hdegoede@redhat.com> Reviewed-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Link: https://lore.kernel.org/r/20220624112340.10130-7-hdegoede@redhat.com Signed-off-by:
-
Hans de Goede authored
[ Upstream commit 1f2c9de8 ] The brightness key-presses might also get reported by the ACPI video bus, check for this and in this case don't report the presses to avoid reporting 2 presses for a single key-press. Fixes: ed83c917 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") Reported-and-tested-by:
-
Hans de Goede authored
[ Upstream commit 83a5ddc3 ] In hindsight blindly throwing away most of the key-press events is not a good idea. So revert commit ed83c917 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug"). Fixes: ed83c917 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") Reported-and-tested-by:
-
Hans de Goede authored
[ Upstream commit fe4326c8 ] Sort includes alphabetically, small cleanup patch in preparation of further changes. Fixes: ed83c917 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") Signed-off-by:
-
Stefan Seyfried authored
[ Upstream commit 65a3e6c8 ] In the definition of panasonic_keymap[] the key codes are given in decimal, later checks are done with hexadecimal values, which does not help in understanding the code. Additionally use two helper variables to shorten the code and make the logic more obvious. Fixes: ed83c917 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") Signed-off-by:
-
Liang He authored
[ Upstream commit 4ff5a9b6 ] In qoriq_cpufreq_probe(), of_find_matching_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore. Fixes: 157f5276 ("cpufreq: qoriq: convert to a platform driver") [ Viresh: Fixed Author's name in commit log ] Signed-off-by:
Liang He <windhl@126.com> Signed-off-by:
Viresh Kumar <viresh.kumar@linaro.org> Signed-off-by:
-
Rob Clark authored
[ Upstream commit 08de2141 ] This was a typo, we didn't actually want to return zero. Fixes: a61acbbe ("drm/msm: Track "seqno" fences by idr") Signed-off-by:
Rob Clark <robdclark@chromium.org> Reviewed-by:
Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Patchwork: https://patchwork.freedesktop.org/patch/491145/ Link: https://lore.kernel.org/r/20220624184528.4036837-1-robdclark@gmail.com Signed-off-by:
-
Anshuman Gupta authored
[ Upstream commit 7d23a80d ] Currently i915 disables d3cold for i915 pci dev. This blocks D3 for i915 gfx pci upstream bridge (VSP). Let's disable d3cold at gfx root port to make sure that i915 gfx VSP can transition to D3 to save some power. We don't need to disable/enable d3cold in rpm, s2idle suspend/resume handlers. Disabling/Enabling d3cold at gfx root port in probe/remove phase is sufficient. Fixes: 1a085e23 ("drm/i915: Disable D3Cold in s2idle and runtime pm") Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> Signed-off-by:
Anshuman Gupta <anshuman.gupta@intel.com> Reviewed-by:
Badal Nilawar <badal.nilawar@intel.com> Acked-by:
Rodrigo Vivi <rodrigo.vivi@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20220616122249.5007-1-anshuman.gupta@intel.com (cherry picked from commit 138c2fca) Signed-off-by:
Jani Nikula <jani.nikula@intel.com> Signed-off-by:
-
katrinzhou authored
[ Upstream commit 9efdd519 ] Add missing else in set_proto_ctx_param() to fix coverity issue. Addresses-Coverity: ("Unused value") Fixes: d4433c76 ("drm/i915/gem: Use the proto-context to handle create parameters (v5)") Suggested-by:
Tvrtko Ursulin <tvrtko.ursulin@intel.com> Signed-off-by:
katrinzhou <katrinzhou@tencent.com> [tursulin: fixup alignment] Signed-off-by:
-
Hans de Goede authored
[ Upstream commit a27a1e35 ] Add an allow_v4_dytc module parameter to allow users to easily test if DYTC version 4 platform-profiles work on their laptop. Fixes: 599482c5 ("platform/x86: ideapad-laptop: Add platform support for Ideapad 5 Pro 16ACH6-82L5") Link: https://bugzilla.kernel.org/show_bug.cgi?id=213297 Signed-off-by:
-
Stephen Boyd authored
[ Upstream commit c28d76d3 ] The 'vsync_cnt' is used to count the number of frames for a crtc. Unfortunately, we increment the count after waking up userspace via dpu_crtc_vblank_callback() calling drm_crtc_handle_vblank(). drm_crtc_handle_vblank() wakes up userspace processes that have called drm_wait_vblank_ioctl(), and if that ioctl is expecting the count to increase it won't. Increment the count before calling into the drm APIs so that we don't have to worry about ordering the increment with anything else in drm. This fixes a software video decode test that fails to see frame counts increase on Trogdor boards. Cc: Mark Yacoub <markyacoub@chromium.org> Cc: Jessica Zhang <quic_jesszhan@quicinc.com> Fixes: 885455d6 ("drm/msm: Change dpu_crtc_get_vblank_counter to use vsync count.") Signed-off-by:
Stephen Boyd <swboyd@chromium.org> Reviewed-by:
Abhinav Kumar <quic_abhinavk@quicinc.com> Reviewed-by:
-
Steve French authored
commit 93ed91c0 upstream. Add ifdef around nodfs variable from patch: "cifs: don't call cifs_dfs_query_info_nonascii_quirk() if nodfs was set" which is unused when CONFIG_DFS_UPCALL is not set. Signed-off-by:
Steve French <stfrench@microsoft.com> Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com> Signed-off-by:
-
Jakub Kicinski authored
commit ff1fa208 upstream. Eric reports that syzbot made short work out of my speculative fix. Indeed when queue gets detached its tfile->tun remains, so we would try to stop NAPI twice with a detach(), close() sequence. Alternative fix would be to move tun_napi_disable() to tun_detach_all() and let the NAPI run after the queue has been detached. Fixes: a8fc8cb5 ("net: tun: stop NAPI when detaching queues") Reported-by:
syzbot <syzkaller@googlegroups.com> Reported-by:
Eric Dumazet <edumazet@google.com> Reviewed-by:
-
Petr Machata authored
commit 665030fd upstream. In mlxsw_sp_nexthop6_init(), a next hop is always added to the router linked list, and mlxsw_sp_nexthop_type_init() is invoked afterwards. When that function results in an error, the next hop will not have been removed from the linked list. As the error is propagated upwards and the caller frees the next hop object, the linked list ends up holding an invalid object. A similar issue comes up with mlxsw_sp_nexthop4_init(), where rollback block does exist, however does not include the linked list removal. Both IPv6 and IPv4 next hops have a similar issue with next-hop counter rollbacks. As these were introduced in the same patchset as the next hop linked list, include the cleanup in this patch. Fixes: dbe4598c ("mlxsw: spectrum_router: Keep nexthops in a linked list") Fixes: a5390278 ("mlxsw: spectrum: Add support for setting counters on nexthops") Signed-off-by:
Petr Machata <petrm@nvidia.com> Reviewed-by:
Amit Cohen <amcohen@nvidia.com> Signed-off-by:
Ido Schimmel <idosch@nvidia.com> Link: https://lore.kernel.org/r/20220629070205.803952-1-idosch@nvidia.com Signed-off-by:
-
Eric Dumazet authored
commit 4e43e64d upstream. As reported by syzbot, we should not use rcu_dereference() when rcu_read_lock() is not held. WARNING: suspicious RCU usage 5.19.0-rc2-syzkaller #0 Not tainted net/ipv6/addrconf.c:5175 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz-executor326/3617: #0: ffffffff8d5848e8 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xae/0xc20 net/netlink/af_netlink.c:2223 stack backtrace: CPU: 0 PID: 3617 Comm: syz-executor326 Not tainted 5.19.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 in6_dump_addrs+0x12d1/0x1790 net/ipv6/addrconf.c:5175 inet6_dump_addr+0x9c1/0xb50 net/ipv6/addrconf.c:5300 netlink_dump+0x541/0xc20 net/netlink/af_netlink.c:2275 __netlink_dump_start+0x647/0x900 net/netlink/af_netlink.c:2380 netlink_dump_start include/linux/netlink.h:245 [inline] rtnetlink_rcv_msg+0x73e/0xc90 net/core/rtnetlink.c:6046 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492 ___sys_sendmsg+0xf3/0x170 net/socket.c:2546 __sys_sendmsg net/socket.c:2575 [inline] __do_sys_sendmsg net/socket.c:2584 [inline] __se_sys_sendmsg net/socket.c:2582 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Fixes: 88e2ca30 ("mld: convert ifmcaddr6 to RCU") Reported-by:
-
katrinzhou authored
commit adabdd8f upstream. When kcalloc fails, ipip6_tunnel_get_prl() should return -ENOMEM. Move the position of label "out" to return correctly. Addresses-Coverity: ("Unused value") Fixes: 300aaeea ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.") Signed-off-by:
Eric <Dumazet<edumazet@google.com> Reviewed-by:
David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20220628035030.1039171-1-zys.zljxml@gmail.com Signed-off-by:
-
Alan Adamson authored
commit 34ad6151 upstream. If the clear_ids attribute is set to true, the EUI/GUID/UUID is cleared for the passthru target. By default, loop targets will set clear_ids to true. This resolves an issue where a connect to a passthru target fails when using a trtype of 'loop' because EUI/GUID/UUID is not unique. Fixes: 2079f41e ("nvme: check that EUI/GUID/UUID are globally unique") Signed-off-by:
Alan Adamson <alan.adamson@oracle.com> Reviewed-by:
Keith Busch <kbusch@kernel.org> Reviewed-by:
Chaitanya Kulkarni <kch@nvidia.com> Signed-off-by:
Christoph Hellwig <hch@lst.de> Signed-off-by:
-
Amir Goldstein authored
commit 8698e3ba upstream. Commit ceaf69f8 ("fanotify: do not allow setting dirent events in mask of non-dir") added restrictions about setting dirent events in the mask of a non-dir inode mark, which does not make any sense. For backward compatibility, these restictions were added only to new (v5.17+) APIs. It also does not make any sense to set the flags FAN_EVENT_ON_CHILD or FAN_ONDIR in the mask of a non-dir inode. Add these flags to the dir-only restriction of the new APIs as well. Move the check of the dir-only flags for new APIs into the helper fanotify_events_supported(), which is only called for FAN_MARK_ADD, because there is no need to error on an attempt to remove the dir-only flags from non-dir inode. Fixes: ceaf69f8 ("fanotify: do not allow setting dirent events in mask of non-dir") Link: https://lore.kernel.org/linux-fsdevel/20220627113224.kr2725conevh53u4@quack3.lan/ Link: https://lore.kernel.org/r/20220627174719.2838175-1-amir73il@gmail.com Signed-off-by:
Amir Goldstein <amir73il@gmail.com> Signed-off-by:
Jan Kara <jack@suse.cz> Signed-off-by:
-
Eric Dumazet authored
commit 853a7614 upstream. Recently added debug in commit f9aefd6b ("net: warn if mac header was not set") caught a bug in skb_tunnel_check_pmtu(), as shown in this syzbot report [1]. In ndo_start_xmit() paths, there is really no need to use skb->mac_header, because skb->data is supposed to point at it. [1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413 Modules linked in: CPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline] RIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413 Code: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 <0f> 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00 RSP: 0018:ffffc90002e4f520 EFLAGS: 00010212 RAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000 RDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003 RBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff R13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f FS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> geneve_xmit_skb drivers/net/geneve.c:927 [inline] geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107 __netdev_start_xmit include/linux/netdevice.h:4805 [inline] netdev_start_xmit include/linux/netdevice.h:4819 [inline] __dev_direct_xmit+0x500/0x730 net/core/dev.c:4309 dev_direct_xmit include/linux/netdevice.h:3007 [inline] packet_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282 packet_snd net/packet/af_packet.c:3073 [inline] packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 ____sys_sendmsg+0x6eb/0x810 net/socket.c:2489 ___sys_sendmsg+0xf3/0x170 net/socket.c:2543 __sys_sendmsg net/socket.c:2572 [inline] __do_sys_sendmsg net/socket.c:2581 [inline] __se_sys_sendmsg net/socket.c:2579 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f3baaa89109 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109 RDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003 RBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000 </TASK> Fixes: 4cb47a86 ("tunnels: PMTU discovery support for directly bridged IP packets") Reported-by:
Stefano Brivio <sbrivio@redhat.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Hans de Goede authored
commit 3a0cf7ab upstream. Some systems have an ACPI video bus but not ACPI video devices with backlight capability. On these devices brightness key-presses are (logically) not reported through the ACPI video bus. Change how acpi_video_handles_brightness_key_presses() determines if brightness key-presses are handled by the ACPI video driver to avoid vendor specific drivers/platform/x86 drivers filtering out their brightness key-presses even though they are the only ones reporting these presses. Fixes: ed83c917 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") Reported-and-tested-by:
Rafael J. Wysocki <rafael.j.wysocki@intel.com> Reviewed-by:
-
Sagi Grimberg authored
commit ed0691cf upstream. Data digest calculation iterates over command mapped iovec. However since commit bac04454 we unmap the iovec before we handle the data digest, and since commit 69b85e1f we clear nr_mapped when we unmap the iov. Instead of open-coding the command iov traversal, simply call crypto_ahash_digest with the command sg that is already allocated (we already do that for the send path). Rename nvmet_tcp_send_ddgst to nvmet_tcp_calc_ddgst and call it from send and recv paths. Fixes: 69b85e1f ("nvmet-tcp: add an helper to free the cmd buffers") Fixes: bac04454 ("nvmet-tcp: fix kmap leak when data digest in use") Signed-off-by:
Sagi Grimberg <sagi@grimberg.me> Signed-off-by:
-
Eric Dumazet authored
commit 6f0012e3 upstream. When the third packet of 3WHS connection establishment contains payload, it is added into socket receive queue without the XFRM check and the drop of connection tracking context. This means that if the data is left unread in the socket receive queue, conntrack module can not be unloaded. As most applications usually reads the incoming data immediately after accept(), bug has been hiding for quite a long time. Commit 68822bdf ("net: generalize skb freeing deferral to per-cpu lists") exposed this bug because even if the application reads this data, the skb with nfct state could stay in a per-cpu cache for an arbitrary time, if said cpu no longer process RX softirqs. Many thanks to Ilya Maximets for reporting this issue, and for testing various patches: https://lore.kernel.org/netdev/20220619003919.394622-1-i.maximets@ovn.org/ Note that I also added a missing xfrm4_policy_check() call, although this is probably not a big issue, as the SYN packet should have been dropped earlier. Fixes: b59c2701 ("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done") Reported-by:
Ilya Maximets <i.maximets@ovn.org> Signed-off-by:
-
Stephen Boyd authored
commit 668a7a12 upstream. Offlining cpu6 and cpu7 and then onlining cpu6 hangs on sc7180-trogdor-lazor because the throttle interrupt doesn't exist. Similarly, things go sideways when suspend/resume runs. That's because the qcom_cpufreq_hw_cpu_online() and qcom_cpufreq_hw_lmh_exit() functions are calling genirq APIs with an interrupt value of '-6', i.e. -ENXIO, and that isn't good. Check the value of the throttle interrupt like we already do in other functions in this file and bail out early from lmh code to fix the hang. Reported-by:
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org> Signed-off-by:
-
Tong Zhang authored
commit 8ee9d82c upstream. epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one() we already freed the dma buffer. To fix this issue, reorder function calls like in the .probe function. BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100] Call Trace: epic_rx+0xa6/0x7e0 [epic100] epic_close+0xec/0x2f0 [epic100] unregister_netdev+0x18/0x20 epic_remove_one+0xaa/0xf0 [epic100] Fixes: 1da177e4 ("Linux-2.6.12-rc2") Reported-by:
Yilun Wu <yiluwu@cs.stonybrook.edu> Signed-off-by:
Tong Zhang <ztong0001@gmail.com> Reviewed-by:
Francois Romieu <romieu@fr.zoreil.com> Link: https://lore.kernel.org/r/20220627043351.25615-1-ztong0001@gmail.com Signed-off-by:
-
Xin Long authored
commit cb8092d7 upstream. Shuang Li reported a NULL pointer dereference crash: [] BUG: kernel NULL pointer dereference, address: 0000000000000068 [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc] [] Call Trace: [] <IRQ> [] tipc_bcast_rcv+0xa2/0x190 [tipc] [] tipc_node_bc_rcv+0x8b/0x200 [tipc] [] tipc_rcv+0x3af/0x5b0 [tipc] [] tipc_udp_recv+0xc7/0x1e0 [tipc] It was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it creates a node in tipc_node_check_dest(), after inserting the new node into hashtable in tipc_node_create(), it creates the bc link. However, there is a gap between this insert and bc link creation, a bc packet may come in and get the node from the hashtable then try to dereference its bc link, which is NULL. This patch is to fix it by moving the bc link creation before inserting into the hashtable. Note that for a preliminary node becoming "real", the bc link creation should also be called before it's rehashed, as we don't create it for preliminary nodes. Fixes: 4cbf8ac2 ("tipc: enable creating a "preliminary" node") Reported-by:
Shuang Li <shuali@redhat.com> Signed-off-by:
Xin Long <lucien.xin@gmail.com> Acked-by:
Jon Maloy <jmaloy@redhat.com> Signed-off-by:
-
Michael Walle authored
commit eddd95b9 upstream. There are packets which doesn't have a payload. In that case, the second i2c_master_read() will have a zero length. But because the NFC controller doesn't have any data left, it will NACK the I2C read and -ENXIO will be returned. In case there is no payload, just skip the second i2c master read. Fixes: 6be88670 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") Signed-off-by:
Michael Walle <michael@walle.cc> Reviewed-by:
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by:
-
Krzysztof authoredcommit 5a478a65 upstream. The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO. Reported-by:
Lv Ruyi <lv.ruyi@zte.com.cn> Fixes: caf6e49b ("NFC: nfcmrvl: add spi driver") Signed-off-by:
-
Hans de Goede authored
commit 8853e8ce upstream. The Ideapad 5 15ITL05 uses DYTC version 4 for platform-profile control. This has been tested successfully with the ideapad-laptop DYTC version 5 code; Add the Ideapad 5 15ITL05 to the ideapad_dytc_v4_allow_table[]. Fixes: 599482c5 ("platform/x86: ideapad-laptop: Add platform support for Ideapad 5 Pro 16ACH6-82L5") Link: https://bugzilla.kernel.org/show_bug.cgi?id=213297 Signed-off-by:
-
Jean Delvare authored
commit d2f33f0c upstream. Unlike release_mem_region(), a call to release_resource() does not free the resource, so it has to be freed explicitly to avoid a memory leak. Signed-off-by:
Jean Delvare <jdelvare@suse.de> Fixes: 455cd867 ("platform/x86: thinkpad_acpi: Add a s2idle resume quirk for a number of laptops") Cc: Mario Limonciello <mario.limonciello@amd.com> Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Cc: Hans de Goede <hdegoede@redhat.com> Cc: Mark Gross <markgross@kernel.org> Reviewed-by:
Mario Limonciello <mario.limonciello@amd.com> Link: https://lore.kernel.org/r/20220621155511.5b266395@endymion.delvare Signed-off-by:
-
